mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-11 15:25:10 +00:00
c9e282f236
* fix(check116): Fixed logic to include resource_id of passed users * fix(check122): Changed logic check to include explicit pass records
51 lines
3.5 KiB
Bash
51 lines
3.5 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
# use this file except in compliance with the License. You may obtain a copy
|
|
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software distributed
|
|
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
|
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations under the License.
|
|
|
|
CHECK_ID_check122="1.22"
|
|
CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created"
|
|
CHECK_SCORED_check122="SCORED"
|
|
CHECK_CIS_LEVEL_check122="LEVEL1"
|
|
CHECK_SEVERITY_check122="Medium"
|
|
CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
|
CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
|
|
CHECK_ALTERNATE_check122="check122"
|
|
CHECK_SERVICENAME_check122="iam"
|
|
CHECK_RISK_check122='IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended and considered a standard security advice to grant least privilege—that is; granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.'
|
|
CHECK_REMEDIATION_check122='It is more secure to start with a minimum set of permissions and grant additional permissions as necessary; rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.'
|
|
CHECK_DOC_check122='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
|
|
CHECK_CAF_EPIC_check122='IAM'
|
|
|
|
check122(){
|
|
# "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
|
|
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
|
|
if [[ $LIST_CUSTOM_POLICIES ]]; then
|
|
for policy in $LIST_CUSTOM_POLICIES; do
|
|
POLICY_ARN=$(awk 'BEGIN{FS=OFS=","}{NF--; print}' <<< "${policy}")
|
|
POLICY_VERSION=$(awk -F ',' '{print $(NF)}' <<< "${policy}")
|
|
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && Action == '*']" $PROFILE_OPT --region $REGION)
|
|
if [[ $POLICY_WITH_FULL ]]; then
|
|
POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $POLICY_ARN"
|
|
else
|
|
textPass "$REGION: Policy ${policy//,/[comma]} that does not allow full \"*:*\" administrative privileges" "${REGION}" "${policy}"
|
|
fi
|
|
done
|
|
if [[ $POLICIES_ALLOW_LIST ]]; then
|
|
for policy in $POLICIES_ALLOW_LIST; do
|
|
textFail "$REGION: Policy ${policy//,/[comma]} allows \"*:*\"" "${REGION}" "${policy}"
|
|
done
|
|
fi
|
|
else
|
|
textPass "$REGION: No custom policies found" "$REGION"
|
|
fi
|
|
}
|